how to terminate process with ebpf?
I want to send_sig_info to a process from inside bpf function (execve) but it won't load. I know that they added a helper function since kernel 5.3 but I'm working on a lower kernel. Is there a way to kill a process from bpf function?
Solution 1:[1]
I believe you are referring to the bpf_send_signal helper, introduced in Linux v5.3. As far as I know, before that helper was introduced, there was no way to terminate a process from a BPF program.
If you are trying to kill the current process from its execve(2) execution, you may be able to rely on seccomp-bpf instead. Note that, since seccomp-bpf relies on cBPF instead of eBPF, you won't be able to filter on the arguments (on purpose, because of the risk of TOCTTOU attacks).
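The seccomp-bpf route mentioned in the answer, as an added example that is not part of the original post or answer: a classic-BPF filter that kills the calling process the moment it issues execve(2), plus a small user-space evaluator for the three instruction kinds the filter uses, so the filter's decision can be checked without installing it. It assumes a Linux host on x86-64 or AArch64 with glibc; every name below (execve_kill_prog, eval_filter, decide, install_execve_kill_filter) belongs to this example, not to any project.

```c
// Added example: seccomp-bpf filter that terminates the process on execve(2).
// Assumes x86-64 or AArch64 Linux with glibc. All identifiers are this
// example's own, not from the Stack Overflow post.
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS          // older headers (pre-4.14) lack this
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

// cBPF program: verify the architecture, load the syscall number, kill on
// execve, allow everything else. Syscall arguments are deliberately not
// inspected (pointer contents could change after the check: TOCTTOU).
static struct sock_filter execve_kill_prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), // unexpected arch
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), // execve: kill
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),        // anything else
};

static size_t filter_len(void) {
    return sizeof execve_kill_prog / sizeof execve_kill_prog[0];
}

// Evaluator for the instruction subset used above (LD|W|ABS, JMP|JEQ|K,
// RET|K). Returns the SECCOMP_RET_* action the kernel would take.
static uint32_t eval_filter(const struct sock_filter *p, size_t n,
                            const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *ins = &p[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:           // acc = 32-bit word at offset k
            memcpy(&acc, (const char *)d + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:          // skip jt or jf instructions
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;     // unsupported opcode: fail closed
        }
    }
    return SECCOMP_RET_KILL_PROCESS;             // ran off the end: fail closed
}

// Decision the filter makes for a given (arch, syscall number) pair.
static uint32_t decide(uint32_t arch, int nr) {
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.arch = arch;
    d.nr = nr;
    return eval_filter(execve_kill_prog, filter_len(), &d);
}

// Install the filter on the calling thread. no_new_privs is required so an
// unprivileged process may apply a filter. Returns 0 on success, -1 on error.
static int install_execve_kill_filter(void) {
    struct sock_fprog prog = {
        .len = (unsigned short)filter_len(),
        .filter = execve_kill_prog,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

int main(void) {
    pid_t pid = fork();
    if (pid == 0) {
        if (install_execve_kill_filter() != 0) _exit(2);
        char *argv[] = { (char *)"/bin/true", NULL };
        execve("/bin/true", argv, NULL);   // never returns: the filter kills us
        _exit(3);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status))
        printf("child killed by signal %d (SIGSYS is %d)\n", WTERMSIG(status), SIGSYS);
    else
        printf("child exited with status %d\n", WEXITSTATUS(status));
    return 0;
}
```

The filter is installed by the child after fork(), so the parent survives to report the outcome; the arch check is what keeps a compat-mode (32-bit) syscall table from being matched against 64-bit syscall numbers. Replacing SECCOMP_RET_KILL_PROCESS with SECCOMP_RET_ERRNO | EPERM turns the same program into a deny-with-error filter instead of a terminate-on-execve one.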
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | pchaigno |
